Twitter Phishing: Protecting Yourself

A funny thing happened on the way to the forum. Or at least, a funny thing happened over the weekend with regard to Twitter, spam and phishing (from Chris Pirillo). I really had no plans to outline my thoughts on the scam, because it is already being covered ad nauseam. However, I feel like I have to anyway.

The scam operates like any typical Windows worm and begins with a DM from a victimized Twitter follower. That direct message contains a link to a malicious (and unnamed) domain that screams “password stealing”. Nevertheless, gullible Twitter users click on the link and land on a page that looks an awful lot like the Twitter.com login screen (okay, it looks identical). The user enters login information thinking they are logging into Twitter and, in the blink of an eye, a malicious site has access to their Twitter account credentials.

This is a very important concept to grasp. The user inadvertently gives Twitter account login information to a malicious site. I will rail more on this concept in a bit. Keep it in mind.

The malicious site then proceeds to send DMs with the infectious link on behalf of the user. I have gotten seven of these in the past 24 hours.

Folks, Twitter is like email. You can be infected through the innocence of friends, so please be careful. You really don’t want a malicious site having access to confidential business ideas, the common and unchanging password that you use everywhere, or intoxicatingly passionate messages to your lover. Be wary of this scam and tread lightly. If you get a message like this, contact the sender and advise them to change their password immediately. Unlike email worms, you cannot be affected by merely looking at the DM – only by clicking the link.

There are several problems here, as there are with most internet security problems. One is the technical problem (a site can log in and perform actions on your behalf). The other is a psychological problem (Twitter users giving away their username and password to untested, unvetted and untrusted third parties).

Twitter promises that they are working on a solution to the technical problem and that it will look like some form of OAuth, an authentication protocol similar to OpenID for application-to-application authentication. OAuth, once instituted, promises to provide a passwordless trust and authentication framework that should solve the problem of third-party Twitter apps having to request a user’s login information. However, for all their promises and the growing urgency among developers, Twitter does not seem to be in a hurry to provide this protocol.
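To make the difference between the two models concrete, here is an added example (not Twitter’s API and not the OAuth specification, just a toy illustration written for this post). A password-holding app must be given the user’s password and can then do anything the user can; a token-issuing service lets the user authenticate on the official site only, hands the app a signed token limited to the actions the user consented to, and can revoke that token without the user changing a password. All names (`Service`, `PasswordHoldingApp`, the scope strings) are constructed for the demo.

```python
import hashlib
import hmac
import secrets


class Service:
    """Toy account service: stores salted password hashes and issues scoped tokens.
    Usernames, app names and scopes are assumed not to contain '|' or ','."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._users = {}      # username -> (salt, pbkdf2 digest)
        self._revoked = set()  # tokens the user has withdrawn

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._digest(password, salt))

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(password, salt))

    def issue_token(self, user: str, password: str, app: str, scopes: set) -> str:
        """The user logs in here, on the service itself, and consents to a limited
        set of actions for the named app. The app never sees the password."""
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        body = f"{user}|{app}|{','.join(sorted(scopes))}|{secrets.token_hex(8)}"
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}"

    def _verify(self, token: str):
        body, _, sig = token.rpartition("|")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected) or token in self._revoked:
            return None
        user, app, scopes, _nonce = body.split("|")
        return user, app, set(scopes.split(","))

    def act(self, token: str, action: str) -> str:
        """Perform an action on the user's behalf only if the token grants it."""
        parsed = self._verify(token)
        if parsed is None:
            raise PermissionError("invalid or revoked token")
        user, app, scopes = parsed
        if action not in scopes:
            raise PermissionError(f"{app} is not allowed to {action}")
        return f"{app} did {action} for {user}"

    def revoke(self, token: str) -> None:
        self._revoked.add(token)


class PasswordHoldingApp:
    """The model the post warns about: the app keeps the raw password and is
    indistinguishable from the user, so it can do anything, including send DMs."""

    def __init__(self, service: Service, user: str, password: str):
        self._svc, self._user, self._password = service, user, password

    def do(self, action: str) -> str:
        if not self._svc.check_password(self._user, self._password):
            raise PermissionError("bad credentials")
        return f"app did {action} for {self._user}"   # no scope check possible


def demo() -> dict:
    svc = Service(secrets.token_bytes(32))
    svc.register("alice", "correct horse battery staple")   # constructed demo account
    bad_app = PasswordHoldingApp(svc, "alice", "correct horse battery staple")
    token = svc.issue_token("alice", "correct horse battery staple",
                            "readerapp", {"read_timeline"})
    results = {
        "password_app_can_dm": bad_app.do("send_dm"),
        "token_app_can_read": svc.act(token, "read_timeline"),
    }
    for label, tok, action in [("token_app_dm", token, "send_dm"),
                               ("tampered_token", token.replace("read_timeline",
                                                                "read_timeline,send_dm"), "send_dm")]:
        try:
            svc.act(tok, action)
            results[label] = "allowed"
        except PermissionError as exc:
            results[label] = f"denied: {exc}"
    svc.revoke(token)
    try:
        svc.act(token, "read_timeline")
        results["after_revoke"] = "allowed"
    except PermissionError:
        results["after_revoke"] = "denied"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the contrast is in `act` versus `PasswordHoldingApp.do`: with a token the service can enforce scope and revoke a single app, while a password holder is simply the user. Real OAuth adds expiry, per-app credentials and a redirect-based consent flow; the scope and revocation properties are the same.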

Additionally, computer users have been relentlessly brainwashed by anti-virus companies, corporate computing policies and other persistent reminders to adhere to basic security practices. Don’t open attachments from unknown senders. Run anti-virus. Use hard-to-guess passwords and change them often. And so on. And so forth. Folks, these concepts are basic life-guiding principles and apply on the web too. Don’t give away your username and password to anyone. Ever. Unless they are vetted and trusted by you and you understand what the ramifications are.

In the absence of an OAuth-style technical release from Twitter, and given the lack of consistent user discipline, it is my recommendation that Twitter users no longer provide third-party apps with their login information, regardless of how compelling the app is. It is not safe, and it is an unwise security practice that flies in the face of everything you have been learning for years when it comes to your own personal computing practices. Twitter apps are defined as anything Twitter-related that is not directly on the twitter.com domain.
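The rule above (“anything not directly on the twitter.com domain”) is mechanical enough to check rather than eyeball, and the fake login page in this scam lives on exactly such an off-domain host. The following is an added example, not code from the post, of how a DM filter or browser helper could apply that rule: it pulls links out of a message and decides, from the URL’s host only, whether each one is really under twitter.com. The sample DM text is constructed for the demo, and `login-check.example` is a placeholder, not the real phishing domain (which the post does not name).

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "twitter.com"

# Matches http(s) links and bare www. links; trailing punctuation is trimmed below.
_LINK_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, ignoring userinfo, port and path.
    Scheme-less inputs such as 'twitter.com/login' are treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_official_twitter_url(url: str) -> bool:
    """True only if the host is twitter.com itself or a subdomain of it.
    Lookalikes such as twitter.com.evil.example, twitter-login.example and
    http://twitter.com@evil.example/ all fail, because the decision is made
    on the parsed host, not on whether 'twitter.com' appears somewhere."""
    host = host_of(url)
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def flag_links(message: str) -> list:
    """Extract every link in a DM and pair it with the official/unofficial verdict."""
    verdicts = []
    for match in _LINK_RE.finditer(message):
        link = match.group(0).rstrip(".,;:!?)\"'")
        verdicts.append((link, is_official_twitter_url(link)))
    return verdicts


def looks_like_off_domain_login_bait(message: str) -> bool:
    """A DM is suspicious for the purpose of this scam when it carries at least
    one link that is not under twitter.com. (Whether the page behind it mimics
    the login form cannot be known from the message alone.)"""
    return any(not official for _, official in flag_links(message))


if __name__ == "__main__":
    # Constructed sample DMs, in the spirit of the ones described in the post.
    samples = [
        "lol is this you? http://twitter.com.login-check.example/verify",
        "my new post is up: https://twitter.com/home",
        "check http://twitter.com@login-check.example/ now!",
    ]
    for dm in samples:
        print(looks_like_off_domain_login_bait(dm), flag_links(dm))
```

Note what the check does not do: a link under twitter.com could still be a real Twitter page that in turn links elsewhere, and an internationalised lookalike host is rejected only because its bytes differ from `twitter.com`, not because it is recognised as a homoglyph. It is a filter for the specific pattern described here, a DM carrying an off-domain link, and nothing more.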

Aaron Brazell is a Baltimore, MD-based WordPress developer, a Sr. Web Engineer at 10up, a co-founder at WP Engine, WordPress core contributor and author. He wrote the book WordPress Bible and has been publishing on the web since 2000. You can follow him on Twitter, on his personal blog and view his photography at The Aperture Filter.

http://nikolasschiller.com/blog/ Nikolas Schiller

I also noticed that Twitter has added the warning text: Warning! Don’t sign in to fake Twitter.com from a DM. Read more on our blog.

However, when it comes down to jargon, I wonder how many n00bz know what a DM is? In Twitter’s blog entry there is no mention of the word DM.

Andre

Hello:
A good and simple way to be sure you’re on the real thing when asked for user and password info is to give it anything BUT the correct info. If the site swallows it, you’re sure it is fake.